Back to skill
Skillv1.0.0
ClawScan security
OpenClaw Automation Architecture · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 7:53 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only architecture / design guide for OpenClaw automations and its declared requirements and actions align with that purpose.
- Guidance
- This skill is a documentation-first architecture guide and appears internally consistent. Before installing, confirm you're comfortable with the agent writing/reading workspace files (state JSON, artifact files) if you follow its templates. Also note that any real external integrations (Zapier/Make/n8n or SaaS connectors) will later require credentials — the skill does not request them now but will advise obtaining them. Finally, autonomous invocation is allowed by default on the platform (not a property of this skill alone); decide whether you want the agent to be able to trigger automation flows without manual approval.
- Findings
[no_regex_matches] expected: The static scanner had no findings because this is an instruction-only skill with no executable code; that is expected for a documentation/architecture guide.
Review Dimensions
- Purpose & Capability
- okName/description match the content: the skill is a design/architecture guide for OpenClaw-native automation primitives (cron, HEARTBEAT.md, spawned sessions, scripts, MCPs, and external adapters). It does not request unrelated binaries, credentials, or config paths.
- Instruction Scope
- okSKILL.md provides prescriptive design rules and templates; it references reading included reference files and suggests storing state in workspace files (JSON, logs, artifacts). Those file I/O recommendations are coherent for an automation architecture guide and do not instruct access to unrelated system locations or secrets.
- Install Mechanism
- okNo install spec and no code files beyond documentation — lowest-risk model. Nothing is downloaded or written by an installer because this is instruction-only.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. References to external workflow platforms (Zapier/Make/n8n) are advisory; any real integration would require explicit credentials later, which the skill does not request.
- Persistence & Privilege
- okalways is false and autonomous invocation remains enabled (the platform default). The skill does not attempt to modify other skills or request permanent elevated presence.